ABSTRACT

Sensor failure detection, isolation, and accommodation 
using a neural network approach is described. An 
autoassociative neural network is configured to perform 
dimensionality reduction on the sensor measurement 
vector and provide estimated sensor values. The sensor 
validation scheme is applied in a simulation of the 
T700 turboshaft engine in closed loop operation. 
Performance is evaluated based on the ability to detect 
faults correctly and maintain stable and responsive 
engine operation. The set of sensor outputs used for 
engine control forms the network input vector. 
Analytical redundancy is verified by training networks 
of successively smaller bottleneck layer sizes. Training 
data generation and strategy are discussed. The engine 
maintained stable behavior in the presence of sensor 
hard failures. With proper selection of fault 
determination thresholds, stability was maintained in 
the presence of sensor soft failures. 



NOMENCLATURE 

Variable    Description
N_g         % of gas generator design speed
N_g'        % of gas generator design speed indicated in cockpit
N_p         % of power turbine design speed
P_s3        Compressor exit pressure
Q_s         Shaft torque
T_2         Compressor inlet temperature
T_45        Interturbine gas temperature
W_f         Fuel flow rate


INTRODUCTION 


On-line fault detection and diagnosis is an area with 
great potential. The ability to detect and isolate a fault 
as it happens allows immediate decisions to be made 
about system availability and likelihood of mission 
completion. In a battlefield environment, for example, 
system unavailability may well have more dire
consequences than the loss of some information. 

Sensor malfunctions are particularly pernicious in that 
they may lead to mission termination when all systems 
are in fact functioning properly. 

Variables in complex systems are often correlated and 
this information can be used to detect, isolate and 
recover incorrect sensor readings. Dunia, et al. 1 have 
categorized sensor faults into four classes: total failure, 
drift, loss of precision, and fixed bias. An early 
technique used to perform detection, isolation, and 
recovery was Kalman filtering. 2,3,4 The success of this
approach is dependent upon the fidelity of the engine 
model embedded in the filter. 5 Another successful 
approach uses linear fault models. 6 Additionally, Guo 
and Nurre 7 have demonstrated how lost or incorrect 
sensor values can be recovered using the remaining 
valid measurements through a neural network, a 
precursor to this work. 

The fault detection, isolation, and accommodation 
(FDIA) method selected here was to integrate an 
autoassociative neural network into the path of 
information passed from the sensors back to the 
controlling entities. Responses to total failure and drift 
faults have been investigated here. Autoassociative 
neural networks have the general feature of being able 
to perform functional mappings. Kramer 8 and Saund 9 
have introduced and applied a specific network 
architecture that is effective for filtering and fault 
isolation. Among the principal advantages of this 
approach over competing methods is that identification, 
isolation, and accommodation can be done with a single 
passage of information through the network. 

T700 SYSTEM OPERATION 
The T700 is a turboshaft engine. It is used in the 
Blackhawk and Apache helicopter airframes. The 
principal input from the cockpit is the percent of 
collective stick. Engine operation is controlled by the 
Electrical Control Unit (ECU) and Hydromechanical
Unit (HMU). The principal ECU control functions are
to guard against power turbine overspeed and
overtemperature as well as to maintain the power
turbine at 100% of design speed by sending a trim
signal to the HMU. A schematic of the closed loop
system is shown in Figure 1. Detailed descriptions of
the system operation are given by Duyar, et al., 10
Curran and Levine, 11 and Prescott and Morris. 12 The
sensors which form the engine control system inputs
are listed in Table 1.

QUANTITY                              RECEIVING UNIT / PRINCIPAL PURPOSE   TYPE
% power turbine speed (N_p)           ECU / Trim                           Proximity
Compressor inlet temperature (T_2)    HMU / Fuel schedule                  Thermo-mechanical (bellows)
% gas generator speed (N_g)           HMU / Fuel schedule                  Mechanical (fly weights)
% gas generator speed (N_g')          Cockpit / Display                    Inductive
Shaft torque (Q_s)                    ECU / Load sharing                   Proximity
Turbine inlet temperature (T_45)      ECU / Overtemperature protection     T/C
Compressor exit pressure (P_s3)       HMU / Fuel schedule                  Pneumo-mechanical (bellows)
Trim signal                           HMU / N_p governing

Table 1. Sensors involved in control for the T700 engine.

Figure 1. Schematic of the T700 closed loop system
shown with and without sensor validation. Sensor
validation is inserted in the feedback path to pass
sensed values and estimates of faulted sensed values.

Figure 2. Response of a simulated T700 closed loop
system having no sensor validation scheme to a hard
fault in sensed compressor exit pressure (P_s3) to 50
psia at 0.25 seconds.

Examples of the potentially catastrophic response of
traditional controllers to sensor faults can be readily
simulated. The simulated response of a T700 engine
without FDIA to a sudden loss of sensed compressor
exit pressure (P_s3) is shown in Figure 2 in the form of
histories of critical engine parameters. The immediate
effect of a loss in sensed compressor exit pressure is a
loss in fuel flow (w_f) from the hydromechanical unit
(HMU). Sensed P_s3 drives a lever mechanism in the
HMU. The mechanism has the function of creating the
appropriate fuel flow past a metering valve by
multiplying scheduled (w_f/P_s3) by sensed P_s3. An
abnormally low P_s3 reduces the flow area in the
metering valve. As the rate of enthalpy release to the
turbines drops, the speeds of both power turbine and
gas generator spools decrease. This leads to a decrease
in the actual P_s3. The decrease in gas generator speed is
sensed by the HMU. Shortly after the fault, it switches
from scheduling fuel on a trim schedule to an
acceleration schedule in response to the decreasing
speed. Because the sensed P_s3 does not rise as it would
in normal engine operation, the fuel metering valve
output is reduced to the engine minimum flow rate and
power turbine speed drops below 40% of design speed.
The corresponding shaft torque, which keeps the
helicopter aloft, drops to near zero.

Figure 3. Schematic representation of the
autoassociative neural network architecture applied
to sensor validation. Nodes in the demapping layers
are typically nonlinear. Output nodes are typically
linear. Bottleneck layer nodes may be either linear
or nonlinear.

NEURAL NETWORK 

The autoassociative neural networks described by 
Kramer 8 and Saund 9 have three hidden layers. The first 
demaps the input data. The second layer, known as the 
bottleneck layer, reduces the number of values passed to
the system intrinsic degrees of freedom. The third layer 
maps this information to an output vector in the same 
space as the input vector. A schematic of the network 
architecture is shown in Figure 3. These networks have 
the property of mapping the input vector onto the 
nearest point on the functional surface generated by 
training. Errant elements of input vectors, then, become
mapped to a vector with a smaller error. By using 
nonlinear processing elements in the mapping and 
demapping layers, nonlinear functionality can be 
captured during training. The bottleneck layer may be 
either linear or nonlinear. The output layer is typically 
linear. 

Selection of bottleneck layer size 
A critical value in applying the dimensionality 
reduction approach to a particular problem is the 
number of nodes in the bottleneck layer. If the number 
of nodes is greater than the system degrees of freedom, 
errant sensor information may be unnecessarily passed 
through the bottleneck layer. If the number is smaller 
than the degrees of freedom, the network outputs 
cannot adequately reconstruct the system behavior due 
to insufficient information having been passed through
the bottleneck layer. One approach to finding the
number of system degrees of freedom would be to use
the equations governing the system to find the
functional relations among them. Another is to examine
and compare the performance of various network
architectures. This can be particularly useful if (as is the
case with the T700 engine system) more than one
function is used to characterize these relationships
depending upon the location within the operating
envelope.

Figure 4. Error histories during training for
different bottleneck layer sizes. The constancy for
the three-noded case indicates loss of information
through the network while the smaller error and
steady decline in the four-noded case indicates a
match between the system degrees of freedom and
the bottleneck size.

Networks having different numbers of bottleneck nodes 
were trained on the same data set for the same number 
of epochs. It is anticipated that, below a certain number 
of bottleneck nodes, the sum of squared errors will 
have a distinctly larger minimum on account of the loss 
of critical information passing through the bottleneck. 

A comparison of the sums of squared errors as a 
function of epoch number is shown in Figure 4. Several 
trainings of each network architecture were performed 
using random initial guesses for nodal weights and 
biases in order to avoid training to a local error 
minimum. Based on these results, the appropriate 
bottleneck size was determined to be four nodes. 
Although the five-noded case had smaller error after 
the selected number of epochs, the error trend suggests 
the four-noded case could have been trained further to 
achieve the same error. Additionally, because of the 
similarity in the results among the four- and five-noded 
cases and the marked difference from the three-noded
case, it appears likely that the four-noded case passes 
the minimum amount of information for construction of 
an input vector estimate. 


Training Approach 

The selected network is both nonlinear and 
multilayered. As such, it will likely have local minima 
in its error surface. To ensure convergence to a global 
minimum, large momentum was included. Nguyen-Widrow 13
initial guesses for weights and biases and
variable learning rate were also included to speed up
convergence. Training data were generated from runs
of a closed loop component-based real time nonlinear
simulation. 14 Engine inlet temperature and torque
demands ranged from -40° to 74° F and 116 to 410 ft-lb,
respectively. This covers most of the engine
operating envelope. The data were normalized by their 
nominal full scale values. Target vectors of normalized 
sensed steady state engine outputs were selected to 
resolve the operating envelope finely enough that the 
incremental change in each parameter was smaller than 
the fault threshold planned for it. Each training vector 
contained the sensed values of the parameters listed in 
Table 1. 

Training was performed in two steps. First, preliminary 
weights and biases were generated by training on a data 
set of 88 unfaulted engine output vectors for 
approximately 12,000 epochs. These weights and biases 
were used as initial guesses for a second training round 
in which vectors containing both faulted and unfaulted 
values were presented as input. In this set of 704 
vectors, 88% contained a fault in one sensed value. 

With the exception of N_p, these faults were randomly
biased by 10 to 100% of the unfaulted values. Because
N_p is to remain nearly constant over the entire T700
operating envelope, the random perturbations in it 
ranged up to 10%. The second training required 
approximately 25,000 epochs. At the termination of 
training, the root-mean-squared error between input and 
output vector elements was approximately 4%. 

Integration into T700 Simulator 
The test bed was adapted from the simulation used to 
generate training data. 14 Subroutines for fault injection 
were inserted at points where sensed values were 
calculated. Up to three faults of preset type can be 
injected at scheduled times. The vector of sensed 
values enters the network at each time step, every 0.006 
seconds. If any estimated value differs from the 
corresponding input value by more than a preset 
threshold, the estimate rather than the sensed value is 
passed to the controller. For all subsequent time steps, 
the network takes as input the estimated values for any 
faulted sensors from the previous time step. Thus a 
sensor, once determined to be faulted, is removed from 
future calculations. A schematic of the fault creation 
and checking function integrated into the flow of 
information among the program modules representing 
the engine, HMU, and ECU is shown in Figure 5. 





Figure 5. Schematic display of the flow of
information among the T700 engine, electrical
control unit, and hydromechanical unit. S, F, and C
represent the sensor, fault injection, and fault
checking and substitution, respectively.

SIMULATION RESULTS 
Network matching of engine dynamic response 
The network training results were based upon steady
state engine behavior. In order to test the network’s 
ability to predict engine dynamic behavior, the network 
output based upon sensed values was compared with 
simulated engine quantities during and after a sudden 
change in load demand. The results are shown in Figure 
6 in which the collective stick is ramped from 50 to 53 
percent between 5 and 5.1 seconds. The discrepancy 
prior to 5 seconds is the result of modeling error in the 
network training. Most traces agree to approximately 
the same level following the stick movement. The 
principal exceptions are power turbine speed and 
compressor inlet temperature. The network was trained 
on constant power turbine speed. As such, the weights 
and biases pass a nearly constant power turbine speed 
estimate over a wide range of input values. 

Temperature data included a wide range, but
information about the typical constancy of temperature
was not part of the training data.

The response of an unfaulted engine to a change in
demand is to begin hunting for a new equilibrium point
at which the engine is kept in trim. To accomplish this,
the trim signal goes through a fluctuation large enough
to cause the power turbine speed to overshoot. The
decaying oscillations are centered about the steady state
values for the new demand. Also, several other
parameters fluctuate at the fuel control hunting
frequency. These fluctuations are not all in phase with
each other, however. No information on phase relations
is included in the training data set. The network, by
training on steady state trim values, apparently does not
include an essential feature of the dynamic character of
the ECU. The network estimate maintains the phase of
the trim signal oscillation. The amplitude of oscillation,
however, is much smaller. This will be shown later to
have important consequences when the trim signal is
determined to be faulted.

Figure 6. Response of a healthy simulated T700
closed loop system and the trained network to a
sudden change in load demand. The collective stick
was ramped from 50 to 53% from 5.0 to 5.1
seconds. Some sensor lags are small enough to
make sensed values indistinguishable from actual
values.

Effect of threshold level 

Thresholds were initially selected to be on the order of 
twice the modeling error. The thresholds selected have 
a large bearing on the accuracy of the fault detected. If 
a fault level is selected too narrowly for a given 
parameter, the result can be a misdiagnosis, 
unnecessary removal of valid information from the 
control loop, and degradation of the FDIA capability. 
Similarly, if a fault level is selected too large for a 
given parameter, the result can be a misdiagnosis in 
another parameter. Two cases were run to illustrate 
both the latter behavior and proper behavior. 

When the fault injected is a ramp type, the gradual 
movement of the sensed value away from the actual 
value may lead to gradual changes in engine condition 
and in the corresponding correctly-sensed values. 

There are some combinations of fault thresholds for 
which the logic algorithm would correctly recognize 
the existence of a fault but incorrectly identify the 
sensor in which it was occurring. An example is shown 
in Figure 7. In this case, a ramp fault was injected to 
power turbine speed. The power turbine threshold was 
set to 10%. The ECU interprets the fault as an
overspeed and reacts by changing the trim signal sent to
the HMU. Fuel flow is correspondingly reduced and the
actual power turbine speed decreases. The first fault
detected is at 0.89 seconds in the trim signal. This is a
spurious fault. The switching to the estimated trim
value leads to a brief cessation of the power turbine
deceleration. As the power turbine sensed speed
continues to deviate further from the design point, the
logic algorithm correctly detects the fault at 5.52
seconds and replaces the sensed value with the
estimate. The value of power turbine speed passed to
the ECU is now within fractions of a percent of the
design speed. This substitution leads to a sudden shift
in the estimated trim signal passed by the network to
the HMU. Fuel flow is correspondingly increased and
the power turbine accelerates. From 5.52 to 7.51
seconds, the sensed power turbine speed gradually
declines from a value above the trim reference speed to
a value below it. At 7.51 seconds, the ECU detects
enough of an underspeed to act to retrim the engine.
Again, the HMU continues to be passed the estimated
trim signal. The result is increased acceleration of the
power turbine. As the turbine accelerates, the estimated
turbine speed rises above the trim reference speed and
then remains constant. Although the ECU perceives an
overspeed, no further corrective action is taken because
the error is within the designed trim deadband.

Figure 7. Response of the T700 system including
sensor validation to a ramp fault in percent power
turbine speed of 3%/second. Tolerance thresholds
were 10% in power turbine speed and 0.1 volts in
trim signal. The fault is initiated at 0.25 seconds. A
spurious fault is detected in trim signal at 0.89
seconds. A correct fault is detected in power turbine
speed at 5.52 seconds. Some sensor lags are small
enough to make sensed values indistinguishable
from actual values. Following substitution,
estimated and sensed trim signal values coincide.

Figure 8. Response of the T700 system including
sensor validation to a ramp fault in percent power 
turbine speed of 3%/second. Tolerance thresholds 
were 1% in power turbine speed and 0.1 volts in 
trim signal. The fault is initiated at 0.25 seconds. A 
correct fault is detected in power turbine speed at 
0.61 seconds. Some sensor lags are small enough to 
make sensed values indistinguishable from actual 
values. 

A second case was run with a smaller fault tolerance 
(1%) for percent power turbine speed. A single correct 
power turbine speed fault was detected at 0.61 seconds. 
These results are shown in Figure 8. When the 
estimated power turbine speed value is substituted for 
the sensed value, a small underspeed is detected. The 
ECU retrims the engine based on this and successive 
estimated values. At steady state, the actual and 
estimated power turbine speeds differ by 0.4 %. This 
bias exists because the estimated and design power 
turbine speeds agree closely enough that the ECU 
concludes the engine is in trim. 
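
The check-and-substitute logic from "Integration into T700 Simulator" and the threshold sensitivity described above, as an added Python example that is not code from the paper. It swaps the trained nonlinear network for a constructed linear autoassociative map (four hypothetical sensors, two-node bottleneck) and runs open loop at steady state; the matrix A, the sensor indices, the thresholds and the ramp rate are all assumptions chosen for illustration.

```python
# Added illustration: a constructed linear stand-in, not the paper's network.
# Four hypothetical sensors are driven by two latent degrees of freedom,
# so the bottleneck has two nodes.
A = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0], [1.0, -1.0]]   # demapping weights
N = len(A)
TRUE = [1.0, 0.5, 1.5, 0.5]   # steady-state sensor values for latent (1.0, 0.5)


def encode(x):
    """Mapping stage: least-squares latent state passed through the bottleneck."""
    g = [[sum(A[k][i] * A[k][j] for k in range(N)) for j in range(2)]
         for i in range(2)]
    rhs = [sum(A[k][i] * x[k] for k in range(N)) for i in range(2)]
    det = g[0][0] * g[1][1] - g[0][1] * g[1][0]
    return [(g[1][1] * rhs[0] - g[0][1] * rhs[1]) / det,
            (g[0][0] * rhs[1] - g[1][0] * rhs[0]) / det]


def estimate(x):
    """Autoassociative pass: input vector -> bottleneck -> estimated vector."""
    z = encode(x)
    return [row[0] * z[0] + row[1] * z[1] for row in A]


class SensorValidator:
    """Per-time-step fault check, substitution and latching."""

    def __init__(self, thresholds):
        self.thresholds = thresholds
        self.held = {}         # faulted sensor index -> last estimate
        self.detections = []   # (step, sensor index) in order of detection

    def step(self, n, sensed):
        # A sensor already declared faulted is fed its previous estimate.
        x = [self.held.get(i, v) for i, v in enumerate(sensed)]
        est = estimate(x)
        for i in range(N):
            if i not in self.held and abs(est[i] - x[i]) > self.thresholds[i]:
                self.detections.append((n, i))
                self.held[i] = est[i]
        for i in self.held:
            self.held[i] = est[i]
        # The controller receives estimates for faulted sensors only.
        return [est[i] if i in self.held else x[i] for i in range(N)]


def run(thresholds, steps=30, rate=0.01):
    """Inject a ramp fault on sensor 0 and return (detections, last output)."""
    validator = SensorValidator(thresholds)
    passed = list(TRUE)
    for n in range(steps):
        sensed = list(TRUE)
        sensed[0] += rate * n          # constructed drift fault
        passed = validator.step(n, sensed)
    return validator.detections, passed


if __name__ == "__main__":
    loose, _ = run([0.10, 0.025, 0.025, 0.05])
    tight, passed = run([0.03, 0.025, 0.025, 0.05])
    print("loose threshold on sensor 0, first detection:", loose[0])
    print("tight threshold on sensor 0, detections:", tight)
    print("values passed to the controller:", passed)
```

With the loose threshold the first flag lands on healthy sensor 2 while the drifting sensor 0 stays in the loop; with the tight threshold sensor 0 alone is flagged and its substituted value settles on the true reading.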

Engine response to demand changes in presence of a 
sensor fault 

Once a sensor fault has been detected and 
accommodated, the engine will likely be expected to 
appropriately respond to subsequent changes in load 
demand. This was examined for two fault cases: the 
first in the trim signal and the second in compressor 
exit pressure. 

A negative ramp fault was injected for the trim signal 
case. These results are shown in Figure 9. Prior to fault 
detection, the HMU interprets this signal as a demand 
to increase fuel flow to compensate for a power turbine 
underspeed. As a result, the power turbine actually
accelerates. When the fault is detected in the trim
signal, the substituted value is larger and constant. The
result is that the power turbine equilibrates to a steady
overspeed value. At 5 seconds, the torque load on the
output shaft is increased. The power turbine decelerates
to below the design speed. For the power turbine to
return to trim, the dynamic character of the trim signal
is very important. As mentioned earlier, the dynamic
character of the trim signal during load demand
changes is not captured by the steady state network
training. The estimated trim signal does not increase
enough to bring the engine back to trim. While a steady
state is reached, the power delivered does not increase.

Figure 9. Response of the T700 system including
sensor validation to a ramp fault in trim signal of
-0.1 volts/second followed by a change in load
demand. The trim signal tolerance threshold was
0.1 volts. The fault is initiated at 0.25 seconds. A
correct fault is detected in trim signal at 1.82
seconds. The collective stick was ramped from 50 to
53% from 5.0 to 5.1 seconds. Some sensor lags are
small enough to make sensed values
indistinguishable from actual values. Following
substitution, estimated and actual trim signal
values coincide.

A hard fault in compressor exit pressure at 0.25 seconds
is examined in the second case. The results are shown
in Figure 10. The fault is immediately detected. The
substituted pressure is larger than the actual value. This
has an immediate effect of increasing fuel flow and
power turbine speed shortly thereafter. The ECU then
acts to bring the engine back to trim. Due to the
positive bias between actual compressor pressure and
estimated compressor pressure, however, the system
goes into a limit cycling mode as the HMU
overschedules fuel flow and the ECU acts in correction.

Figure 10. Response of the T700 system including
sensor validation to a hard fault in sensed
compressor exit pressure (P_s3) to 50 psia at 0.25
seconds followed by a change in load demand. A
correct fault is detected in at 0.252 seconds. The
collective stick was ramped from 50 to 53% from
5.0 to 5.1 seconds. Some sensor lags are small
enough to make sensed values indistinguishable
from actual values.

It should be noted here that the second case is identical 
to the one described to demonstrate the system response 
to a sensor fault without validation (Figure 2). The 
sensor validation scheme applied here was effective at 
maintaining stable engine behavior where the 
consequences would otherwise likely have been 
catastrophic. 

When load demand is increased in the presence of a 
compressor exit pressure sensor fault, the result with 
sensor validation (Figure 10) is closer to healthy engine 
behavior (Figure 6) than is the trim signal sensor fault 
case (Figure 9). The power turbine briefly underspeeds 
and the system parameters oscillate as the ECU hunts 
for a new equilibrium. The principal feature 
distinguishing the post acceleration behavior in this 
case from the healthy engine is that the engine limit 
cycles whereas in the healthy case the oscillations 
decayed. The mean power delivered in the two cases, 
however, agree to within fractions of a percent. 

Multiple faults 

Multiple sensor faults are potentially more difficult to 
accommodate in that, with each successive fault, the 
amount of information available comes closer to the 
system’s minimum number of degrees of freedom. The 
test case selected included two faulty sensors: 
compressor exit pressure and power turbine speed. The
signal from the former is used by the HMU while that
of the latter is used by the ECU. The results are shown
in Figure 11. Similar to previous cases, compressor
exit pressure undergoes a hard fault at 0.25 seconds.
The limit cycling response is as before. At 5.0 seconds,
a hard power turbine speed sensor fault of 50% of
actual speed is injected. It is immediately detected.
Substitution with estimated speed distinctly reduces the
oscillations in system parameters because the speed
error inferred by the ECU is small and comparatively
steady. The estimated power turbine speed is below the
design speed. The ECU acts to accelerate the power
turbine until the estimated value agrees with the design
value. At steady state, the power turbine has in fact
oversped by 0.8 %.

Figure 11. Response of the T700 system including
sensor validation to a hard fault in sensed
compressor exit pressure (P_s3) to 50 psia at 0.25
seconds followed by a hard fault in sensed power
turbine speed (N_p) at 5.0 seconds. A correct fault is
detected in at 0.252 seconds. Some sensor lags
are small enough to make sensed values
indistinguishable from actual values.

Other fault combinations have yet to be tested. It is 
expected that combinations which include the trim 
signal will be problematic due to the inability of the 
present FDIA to recreate the necessary dynamic trim 
signal behavior. 

CONCLUDING REMARKS 
An autoassociative neural network has been created 
that maps normal T700 engine behavior to within 
tolerance thresholds over a wide range of torque 
demands and engine inlet conditions. This network has 
been integrated into a component-based real-time 
simulation and is effective at detecting sensor faults and 
substituting appropriate estimated sensor values given 
an appropriate selection of fault thresholds. Among the
issues yet to be addressed is the selection of tolerances
to adequately identify faults from each sensor over a
variety of flight conditions. Generally, the integration 
of a neural network-based sensor validation scheme 
into the closed loop engine operation resulted in stable 
engine behavior in response to faults. Hard sensor 
faults in any one of the sensed quantities were correctly 
detected and accommodated. System response in 
ramped cases depended upon the comparative sizes of 
fault detection thresholds. Unaccommodated, these 
sensor faults would have been catastrophic to the 
engine and airframe. The behavior around the time of 
variable substitution of the system with the integrated 
neural network is as expected in terms of engine and 
controller response. While the network embedded in 
the control has been shown to accommodate multiple 
sensor faults, this is not necessarily true of all multiple 
fault combinations. 

Future work might involve network training to include 
engine dynamic response and discrimination between 
sensor and system faults. Strategies for threshold 
selection might also be investigated, with respect to 
both minimization of misdiagnoses and engine-to- 
engine variation. 